CSP Header Examples by Platform
Copy and adapt Content Security Policy deployment syntax for HTTP responses, nginx, Apache, Netlify, Vercel, Cloudflare Pages, Next.js, Remix, Express, and Fastify.
What is a CSP header?
Use these examples to place a generated CSP in the right deployment format. For policy strategy by site type, use CSP examples. For staged rollout, use report-only CSP.
Meta tags are limited
HTTP response headers are preferred for a production Content Security Policy header. A meta CSP can help in narrow cases, but it cannot support every directive and should not be treated as a full replacement for server headers.
How do I create a CSP header?
Generate a policy from scan evidence, choose the deployment format for your host or framework, test with report-only CSP, then ship the enforced Content-Security-Policy header when the policy is stable.
Meta tag caveat
nginx CSP header
Apache CSP header
Netlify CSP _headers
Vercel CSP header config
Cloudflare Pages CSP _headers
Express and Fastify CSP middleware
Next.js and Remix CSP headers
Render Go or Gin middleware
CloudFront Function CSP header
WordPress or Apache .htaccess
Rails CSP initializer
Django CSP middleware
Laravel CSP middleware
Spring Security CSP header
Express CSP with Helmet.js
Cloudflare Worker CSP header
Common CSP header formatting errors
- Splitting one CSP header across multiple conflicting headers.
- Forgetting semicolons between directives.
- Using curly quotes around
'self'or'none'. - Deploying only a meta tag when the server can set an HTTP response header.
- Copying a generated header without testing it in report-only mode first.
Compact CSP directive glossary
These are the directives most often involved when you create a CSP, validate a generated policy, or read browser violation reports.
default-src
Fallback policy for resource types that do not have a more specific directive.
script-src
Controls JavaScript sources, inline script hashes, nonces, and risky values like 'unsafe-eval'.
style-src
Controls stylesheets and inline style allowances, including hashes or nonces when used.
img-src
Controls image sources, including common allowances such as same-origin CDNs or carefully reviewed data: images.
connect-src
Controls fetch, XHR, WebSocket, EventSource, and API endpoints.
font-src
Controls web font sources such as local assets, Google Fonts, or a private asset CDN.
frame-src
Controls iframes and embedded content loaded by your page.
frame-ancestors
Controls which parent pages may embed your page and helps prevent clickjacking.
object-src
Controls legacy plugin content. Most modern policies set this to 'none'.
base-uri
Restricts which URLs can be used in a document <base> element.
form-action
Controls where forms can submit data.
report-to
Names a Reporting API endpoint for CSP violation reports.
CSP Header Examples FAQ
Should I deploy CSP as an HTTP header or a meta tag?
Use an HTTP response header whenever possible. Meta CSP has limitations and is best treated as a fallback for narrow cases.
Can I deploy more than one CSP header?
You can, but multiple policies can combine in surprising ways. Most teams should deploy one reviewed policy per response.
Where should I put report-only CSP?
Deploy report-only CSP with the Content-Security-Policy-Report-Only header, not the enforced Content-Security-Policy header.
Generate a CSP header from real scan evidence
Use the CSP scanner and header generator to produce a deployment-formatted candidate, then review and adapt the matching platform syntax from this reference.